Can a scammer commit fraud using just my debit card number and expiry date?
Yes — card-not-present fraud requires only the card number and expiry date, and often the CVV, all of which are obtainable through phishing, skimming, or data breaches.
Last reviewed: 10 June 2026
Explanation
Online purchases do not require the physical card — only the card number, expiry date, and usually the CVV (the three-digit code on the back). This combination is all a scammer needs to make purchases on many websites. The card details can be obtained through phishing sites, skimming devices attached to ATMs or point-of-sale terminals, data breaches at merchants, or dark web purchases of stolen card data.
Debit cards carry more risk than credit cards in a fraud scenario because they draw directly from your bank account. While most banks have fraud protections and a process for disputing debit card charges, the money leaves your account first and the timeline for getting it back is longer. Credit cards have stronger legal protections in most jurisdictions for unauthorised transactions.
Small test charges are a common precursor to larger fraud: attackers first run a micro-transaction (often under a dollar) to verify the card is active before using it for bigger purchases. If you see an unexpected tiny charge from an unfamiliar merchant, treat it as a fraud indicator and contact your bank.
Report unauthorised charges to your bank immediately. Most banks will issue a chargeback and replace your card. The fraud window on debit card disputes is time-sensitive — in the US, Regulation E gives stronger protection if you report within two business days of noticing the charge. Document everything.
Common red flags
- Small unexplained charges (under a few dollars) appear from unfamiliar merchants
- You receive a decline notification for a purchase you didn't attempt
- A larger unexpected transaction follows a small unrecognised charge
- Your card details may have been entered on a site you're no longer sure was legitimate
- You used your card at an ATM or terminal that may have had a skimmer
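The test-charge pattern from the explanation and the red flags above, written as a small statement-review check. This is an added example, not part of the original page; the under-a-dollar threshold follows the text, while the seven-day follow-up window, the merchant names and the sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MICRO_LIMIT_CENTS = 100               # "often under a dollar", per the text
FOLLOW_UP_WINDOW = timedelta(days=7)  # assumption: how long a probe stays relevant

@dataclass(frozen=True)
class Txn:
    when: datetime
    merchant: str
    cents: int
    declined: bool = False

def review(txns, known_merchants):
    """Return (txn, reason) pairs for charges matching the red flags above."""
    alerts, probes = [], []
    for t in sorted(txns, key=lambda x: x.when):
        if t.merchant in known_merchants:
            continue  # merchants the cardholder has confirmed are not flagged
        if t.declined:
            alerts.append((t, "declined attempt at unfamiliar merchant"))
        elif t.cents < MICRO_LIMIT_CENTS:
            probes.append(t)  # remember it so a later large charge can be linked
            alerts.append((t, "possible test charge"))
        elif any(t.when - p.when <= FOLLOW_UP_WINDOW for p in probes):
            alerts.append((t, "larger charge following a test charge"))
    return alerts

# Constructed sample statement (not real data); amounts are in cents.
KNOWN = {"GROCER-ONE"}
SAMPLE = [
    Txn(datetime(2026, 6, 1, 9, 0), "GROCER-ONE", 4350),
    Txn(datetime(2026, 6, 2, 3, 12), "XQ-DIGITAL", 37),
    Txn(datetime(2026, 6, 2, 3, 15), "XQ-DIGITAL", 99, declined=True),
    Txn(datetime(2026, 6, 3, 1, 40), "ELECTRO-MART", 48900),
    Txn(datetime(2026, 6, 20, 18, 5), "NEW-CAFE", 1250),  # outside the window
]

if __name__ == "__main__":
    for txn, reason in review(SAMPLE, KNOWN):
        print(f"{txn.when:%Y-%m-%d %H:%M}  {txn.merchant:<13} "
              f"{txn.cents / 100:>8.2f}  {reason}")
```

The last sample line shows the limit of the heuristic: a first purchase at a new merchant is not flagged unless it falls within the window after a suspected test charge.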
What to do now
- Enable real-time transaction alerts with your bank so you see every charge as it happens
- Contact your bank immediately if you see any charge you don't recognise
- Ask your bank to cancel the current card and issue a replacement with a new number
- Use a virtual card number for online purchases where possible — many banks and services offer this
- Prefer credit cards over debit cards for online shopping due to stronger fraud protections
- Review all merchant sites where your card is saved and remove it from any you no longer use
Frequently asked questions
What is a virtual card number and how does it protect me?
A virtual card number is a single-use or merchant-locked substitute for your real card number, generated by your bank or a service like Privacy.com. If the virtual number is compromised, your real card is unaffected and the virtual number can be deleted.
Do I have to pay for unauthorised charges on my debit card?
Generally no, provided you report them in a timely manner. In the US, Regulation E limits your liability to zero if reported before any fraudulent transaction occurs, rising to $50 if reported within two business days. Report immediately for the strongest protection.